Dridex: Analysis of the traffic and automatic generation of IOCs

2016 Information Security for South Africa (ISSA) Pub Date : 2016-08-01 DOI:10.1109/ISSA.2016.7802932

L. Rudman, B. Irwin

{"title":"Dridex: Analysis of the traffic and automatic generation of IOCs","authors":"L. Rudman, B. Irwin","doi":"10.1109/ISSA.2016.7802932","DOIUrl":null,"url":null,"abstract":"In this paper we present a framework that generates network Indicators of Compromise (IOC) automatically from a malware sample after dynamic runtime analysis. The framework addresses the limitations of manual Indicator of Compromise generation and utilises sandbox environment to perform the malware analysis in. We focus on the generation of network based IOCs from captured traffic files (PCAPs) generated by the dynamic malware analysis. The Cuckoo Sandbox environment is used for the analysis and the setup is described in detail. Accordingly, we discuss the concept of IOCs and the popular formats used as there is currently no standard. As an example of how the proof-of-concept framework can be used, we chose 100 Dridex malware samples and evaluated the traffic and showed what can be used for the generation of network-based IOCs. Results of our system confirm that we can create IOCs from dynamic malware analysis and avoid the legitimate background traffic originating from the sandbox system. We also briefly discuss the sharing of, and application of the generated IOCs and the number of systems that can be used to share them. Lastly we discuss how they can be useful in combating cyber threats.","PeriodicalId":330340,"journal":{"name":"2016 Information Security for South Africa (ISSA)","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 Information Security for South Africa (ISSA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISSA.2016.7802932","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 15

Abstract

In this paper we present a framework that generates network Indicators of Compromise (IOC) automatically from a malware sample after dynamic runtime analysis. The framework addresses the limitations of manual Indicator of Compromise generation and utilises sandbox environment to perform the malware analysis in. We focus on the generation of network based IOCs from captured traffic files (PCAPs) generated by the dynamic malware analysis. The Cuckoo Sandbox environment is used for the analysis and the setup is described in detail. Accordingly, we discuss the concept of IOCs and the popular formats used as there is currently no standard. As an example of how the proof-of-concept framework can be used, we chose 100 Dridex malware samples and evaluated the traffic and showed what can be used for the generation of network-based IOCs. Results of our system confirm that we can create IOCs from dynamic malware analysis and avoid the legitimate background traffic originating from the sandbox system. We also briefly discuss the sharing of, and application of the generated IOCs and the number of systems that can be used to share them. Lastly we discuss how they can be useful in combating cyber threats.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Dridex:流量分析和ioc自动生成

在本文中，我们提出了一个框架，在动态运行时分析后，从恶意软件样本自动生成网络危害指标(IOC)。该框架解决了手工生成危害指示器的局限性，并利用沙盒环境执行恶意软件分析。我们专注于从动态恶意软件分析生成的捕获流量文件(pcap)中生成基于网络的ioc。本文使用Cuckoo Sandbox环境进行分析，并对其设置进行了详细描述。因此，我们将讨论IOCs的概念和流行的格式，因为目前还没有标准。作为概念验证框架如何使用的一个例子，我们选择了100个Dridex恶意软件样本，并评估了流量，并展示了可用于生成基于网络的ioc的方法。我们的系统结果证实，我们可以通过动态恶意软件分析创建IOCs，并避免来自沙箱系统的合法后台流量。我们还简要讨论了生成的ioc的共享和应用，以及可用于共享它们的系统的数量。最后，我们讨论了它们如何在打击网络威胁方面发挥作用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

2016 Information Security for South Africa (ISSA)

自引率

0.00%

发文量